Question

Pretty straightforward question, but I'll provide any clarifications needed.

The reason I'm asking is this: I created a child theme that pulls in a custom-functions.php file. This allows devs to customize the site without editing the child theme. I know that's the purpose of a child theme, but for the sake of brevity I won't go into the reasoning behind all that.

I put custom-functions.php in /wp-content/uploads/customizations. Is this a security risk? And if so, what's a better place to put it? I don't want to put it in my child theme because it'll get overwritten when the theme is updated.

Solution

Yes it is unsafe, though not for the reasons you think. DO NOT DO THIS.

If your developers can upload a PHP file to your site that gets executed, then that PHP file can undo all other security measures that you put in place. The location of the file is irrelevant. Functionally, there is no difference from editing plugins directly.

Additionally, a common security enhancement is to prevent PHP execution in the uploads folder, and assume any PHP in the uploads folder is malicious.

Either way, your proposed development process is highly unusual and problematic. I strongly advise against this. Moving the files uploaded to another folder will not improve security.

Do not let developers upload PHP to the uploads folder. It is not a good idea.
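As an added example (not part of the question or the answer above), the shell functions below implement the two hardening steps the answer mentions for the uploads folder: an Apache .htaccess that refuses to serve PHP-like files from wp-content/uploads, and an audit that lists any PHP-like files already sitting there so they can be treated as suspect. The directory path passed in, the Apache AllowOverride assumption and the nginx line in the comment are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes Apache with
# AllowOverride enabled for the uploads path; nginx users need the
# equivalent location block in the server config (see comment below).

# Write an .htaccess into the uploads directory that refuses to serve
# PHP-like files. The (\.|$) tail also blocks double-extension names
# such as shell.php.jpg. Covers Apache 2.2 (Order/Deny) and 2.4 (Require).
write_uploads_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Disallow execution of PHP and common variants under wp-content/uploads
<FilesMatch "\.(php[0-9]?|phtml|phar)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}
# nginx equivalent (goes in the server block, not in a file in uploads):
#   location ~* /wp-content/uploads/.*\.(php[0-9]?|phtml|phar)(\.|$) { deny all; }

# Audit the uploads tree for PHP-like files, including double-extension
# names. Prints one path per line and returns 1 if anything was found,
# so it can gate a cron job or a deploy step; returns 0 when clean.
find_php_in_uploads() {
    dir="$1"
    found=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}
```

Run `write_uploads_htaccess /path/to/wp-content/uploads` once, and schedule `find_php_in_uploads /path/to/wp-content/uploads` so an alert fires on a non-zero exit.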

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange